The answer to this is a bit complex. POPIA, for example, states that “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and data subject. There are many cybercrimes in the Cybercrime Act, including the crime of unlawful access, which is essentially the unlawful and intentional access to a computer or data. Therefore, if the data breach meets the requirements of a crime in a particular cybercrime law like the Cybercrimes Act, it would also be a cybercrime.